VPN Encryption Is Broken? Not Exactly…

The latest Snowden revelations that governments in the U.S., Canada, Australia, and elsewhere have broken encryption are not entirely new. Nor should people be surprised. After all, key encryption protocols were developed by U.S. government spy agencies, so we should always expect some sort of backdoor access or undisclosed weakness.

That doesn’t make these public revelations any less worrisome.

As for Virtual Private Networks, news outlets are reporting that VPNs are vulnerable. This is not exactly true. SSL appears to be compromised, and therefore browser-based SSL VPNs are at risk. But VPN providers offering OpenVPN, PPTP, and IPSec/L2TP protocols appear fine (until we hear of the next revelation that states they are not fine).

But users of VPNs in places like China already know that they are targets. Many news outlets have stated for over a year that VPNs are blocked in China. That is not true. Instead, they have repeatedly been filtered. There is a difference between blocking and filtering. In most cases, it would be impossible to block VPN traffic on L2TP, OpenVPN, or PPTP without blocking most other “innocuous” traffic of users visiting bank websites, e-commerce sites, etc. But with filtering, the Chinese Internet police are filtering highly encrypted traffic for DPI (deep packet inspection). It still takes supercomputers and lots of time to decrypt this traffic, so in China this type of traffic is being filtered.

But what all VPN users need to worry about is collusion between governments and websites to track VPN users. These latest revelations appear to say that people using encrypted traffic are now targets. That is even more worrisome because one of the few ways governments can spot this type of data is by working with website operators. So the next time you use Yahoo, MSN, Amazon, eBay, and other sites, you should ask yourself if the executives running those websites are doing the right thing, or not.